'\" t
.\"     Title: vfs_virusfilter
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 03/09/2023
.\"    Manual: System Administration tools
.\"    Source: Samba 4.8
.\"  Language: English
.\"
.TH "VFS_VIRUSFILTER" "8" "03/09/2023" "Samba 4\&.8" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
vfs_virusfilter \- On access virus scanner
.SH "SYNOPSIS"
.HP \w'\ 'u
vfs objects = virusfilter
.SH "DESCRIPTION"
.PP
This is a set of various Samba VFS modules to scan and filter virus files on Samba file services with an anti\-virus scanner\&.
.PP
This module is stackable\&.
.SH "OPTIONS"
.PP
virusfilter:scanner
.RS 4
The antivirus scan\-engine\&.
.RS
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIsophos\fR, the Sophos AV scanner
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIfsav\fR, the F\-Secure AV scanner
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIclamav\fR, the ClamAV scanner
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIdummy\fR, dummy scanner used in tests\&. Checks against the
\fIinfected files\fR
parameter and flags any name that matches as infected\&.
.RE
.sp
.RE
.RE
.PP
virusfilter:socket path = PATH
.RS 4
Path of local socket for the virus scanner\&.
.sp
If this option is not set, the default path depends on the configured AV scanning engine\&.
.sp
For the
\fIsophos\fRbackend the default is
\fI/var/run/savdi/sssp\&.sock\fR\&.
.sp
For the
\fIfsav\fR
backend the default is
\fI/tmp/\&.fsav\-0\fR\&.
.sp
For the
\fIclamav\fR
backend the default is
\fI/var/run/clamav/clamd\&.ctl\fR\&.
.RE
.PP
virusfilter:connect timeout = 30000
.RS 4
Controls how long to wait on connecting to the virus scanning process before timing out\&. Value is in milliseconds\&.
.sp
If this option is not set, the default is 30000\&.
.RE
.PP
virusfilter:io timeout = 60000
.RS 4
Controls how long to wait on communications with the virus scanning process before timing out\&. Value is in milliseconds\&.
.sp
If this option is not set, the default is 60000\&.
.RE
.PP
virusfilter:scan on open = yes
.RS 4
This option controls whether files are scanned on open\&.
.sp
If this option is not set, the default is yes\&.
.RE
.PP
virusfilter:scan on close = no
.RS 4
This option controls whether files are scanned on close\&.
.sp
If this option is not set, the default is no\&.
.RE
.PP
virusfilter:max file size = 100000000
.RS 4
This is the largest sized file, in bytes, which will be scanned\&.
.sp
If this option is not set, the default is 100MB\&.
.RE
.PP
virusfilter:min file size = 10
.RS 4
This is the smallest sized file, in bytes, which will be scanned\&.
.sp
If this option is not set, the default is 10\&.
.RE
.PP
virusfilter:infected file action = nothing
.RS 4
What to do with an infected file\&. The options are nothing, quarantine, rename, delete\&.
.sp
If this option is not set, the default is nothing\&.
.RE
.PP
virusfilter:infected file errno on open = EACCES
.RS 4
What errno to return on open if the file is infected\&.
.sp
If this option is not set, the default is EACCES\&.
.RE
.PP
virusfilter:infected file errno on close = 0
.RS 4
What errno to return on close if the file is infected\&.
.sp
If this option is not set, the default is 0\&.
.RE
.PP
virusfilter:quarantine directory = PATH
.RS 4
Where to move infected files\&. This path must be an absolute path\&.
.sp
If this option is not set, the default is "\&.quarantine" relative to the share path\&.
.RE
.PP
virusfilter:quarantine prefix = virusfilter\&.
.RS 4
Prefix for quarantined files\&.
.sp
If this option is not set, the default is "virusfilter\&."\&.
.RE
.PP
virusfilter:quarantine suffix = \&.infected
.RS 4
Suffix for quarantined files\&. This option is only used if keep name is true\&. Otherwise it is ignored\&.
.sp
If this option is not set, the default is "\&.infected"\&.
.RE
.PP
virusfilter:rename prefix = virusfilter\&.
.RS 4
Prefix for infected files\&.
.sp
If this option is not set, the default is "virusfilter\&."\&.
.RE
.PP
virusfilter:rename suffix = \&.infected
.RS 4
Suffix for infected files\&.
.sp
If this option is not set, the default is "\&.infected"\&.
.RE
.PP
virusfilter:quarantine keep tree = yes
.RS 4
If keep tree is set, the directory structure relative to the share is maintained in the quarantine directory\&.
.sp
If this option is not set, the default is yes\&.
.RE
.PP
virusfilter:quarantine keep name = yes
.RS 4
Should the file name be left unmodified other than adding a suffix and/or prefix and a random suffix name as defined in virusfilter:rename prefix and virusfilter:rename suffix\&.
.sp
If this option is not set, the default is yes\&.
.RE
.PP
virusfilter:infected file command = @SAMBA_DATADIR@/bin/virusfilter\-notify \-\-mail\-to virusmaster@example\&.com \-\-cc "%U@example\&.com" \-\-from samba@example\&.com \-\-subject\-prefix "Samba: Infected File: "
.RS 4
External command to run on an infected file is found\&.
.sp
If this option is not set, the default is none\&.
.RE
.PP
virusfilter:scan archive = true
.RS 4
This defines whether or not to scan archives\&.
.sp
Sophos and F\-Secure support this and it defaults to false\&.
.RE
.PP
virusfilter:max nested scan archive = 1
.RS 4
This defines the maximum depth to search nested archives\&.
.sp
The Sophos and F\-Secure support this and it defaults to 1\&.
.RE
.PP
virusfilter:scan mime = true
.RS 4
This defines whether or not to scan mime files\&.
.sp
Only the
\fIfsav\fRscanner supports this option and defaults to false\&.
.RE
.PP
virusfilter:scan error command = @SAMBA_DATADIR@/bin/virusfilter\-notify \-\-mail\-to virusmaster@example\&.com \-\-from samba@example\&.com \-\-subject\-prefix "Samba: Scan Error: "
.RS 4
External command to run on scan error\&.
.sp
If this option is not set, the default is none\&.
.RE
.PP
virusfilter:exclude files = empty
.RS 4
Files to exclude from scanning\&.
.sp
If this option is not set, the default is empty\&.
.RE
.PP
virusfilter:infected files = empty
.RS 4
Files that virusfilter
\fIdummy\fR
flags as infected\&.
.sp
If this option is not set, the default is empty\&.
.RE
.PP
virusfilter:block access on error = false
.RS 4
Controls whether or not access should be blocked on a scanning error\&.
.sp
If this option is not set, the default is false\&.
.RE
.PP
virusfilter:scan error errno on open = EACCES
.RS 4
What errno to return on open if there is an error in scanning the file and block access on error is true\&.
.sp
If this option is not set, the default is EACCES\&.
.RE
.PP
virusfilter:scan error errno on close = 0
.RS 4
What errno to return on close if there is an error in scanning the file and block access on error is true\&.
.sp
If this option is not set, the default is 0\&.
.RE
.PP
virusfilter:cache entry limit = 100
.RS 4
The maximum number of entries in the scanning results cache\&. Due to how Samba\*(Aqs memcache works, this is approximate\&.
.sp
If this option is not set, the default is 100\&.
.RE
.PP
virusfilter:cache time limit = 10
.RS 4
The maximum number of seconds that a scanning result will stay in the results cache\&. \-1 disables the limit\&. 0 disables caching\&.
.sp
If this option is not set, the default is 10\&.
.RE
.PP
virusfilter:quarantine directory mode = 0755
.RS 4
This is the octet mode for the quarantine directory and its sub\-directories as they are created\&.
.sp
If this option is not set, the default is 0755 or S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH\&.
.sp
Permissions must be such that all users can read and search\&. I\&.E\&. don\*(Aqt mess with this unless you really know what you are doing\&.
.RE
.PP
virusfilter:block suspected file = false
.RS 4
With this option on, suspected malware will be blocked as well\&. Only the
\fIfsav\fRscanner supports this option\&.
.sp
If this option is not set, the default is false\&.
.RE
.SH "NOTES"
.PP
This module can scan other than default streams, if the alternative datastreams are each backed as separate files, such as with the vfs module streams_depot\&.
.PP
For proper operation the streams support module must be before the virusfilter module in your vfs objects list (i\&.e\&. streams_depot must be called before virusfilter module)\&.
.PP
This module is intended for security in depth by providing virus scanning capability on the server\&. It is not intended to be used in lieu of proper client based security\&. Other modules for security may exist and may be desirable for security in depth on the server\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
